swift/test/unit/common/middleware
Tim Burke f3ef616dc6 Stop using client headers for cross-middleware communication

Previously, Swift3 used client-facing HTTP headers to pass the S3 access
key, signature, and normalized request through the WSGI pipeline.
However, tempauth did not validate that Swift3 actually set the headers;
as a result, an attacker who has captured either a single valid S3-style
temporary URL or a single valid request through the S3 API may impersonate
the user that signed the URL or issued the request indefinitely through
the Swift API.

Now, the S3 authentication information will be taken from a separate
namespace in the WSGI environment, completely inaccessible to the
client. Specifically,

    environ['swift3.auth_details'] = {
        'access_key': <access key>,
        'signature': <signature>,
        'string_to_sign': <normalized request>,
    }

Note that tempauth is not expected to be in production use, but may have
been used as a template by other authentication middlewares to add their
own Swift3 support.

Change-Id: Ib90adcc2f059adaf203fba1c95b2154561ea7487
Related-Change: Ia3fbb4938f0daa8845cba4137a01cc43bc1a713c
2017-02-27 17:35:13 +00:00
crypto Removes unnecessary utf-8 encoding 2016-12-22 10:49:56 +07:00
__init__.py Initial commit of middleware refactor 2010-08-20 00:42:38 +00:00
helpers.py Reduce backend requests for SLO If-Match / HEAD requests 2016-11-21 14:39:50 -08:00
test_account_quotas.py Correctly send 412 Precondition Failed in copy middleware 2016-11-17 17:48:24 +00:00
test_acl.py pep8 fix: assertEquals -> assertEqual 2015-10-11 12:57:25 +02:00
test_bulk.py Fix intermittent bulk delete unit test failures 2016-06-29 14:30:39 -07:00
test_cname_lookup.py Do not follow CNAME when host is in storage_domain 2017-02-23 10:39:05 +01:00
test_container_sync.py Make container sync copy SLO manifests 2016-09-14 13:32:00 +01:00
test_copy.py Merge "Default object_post_as_copy to False" 2017-01-24 20:58:34 +00:00
test_crossdomain.py pep8 fix: assertEquals -> assertEqual 2015-10-11 12:57:25 +02:00
test_dlo.py Let users know entity size in 416 responses 2016-11-30 10:52:08 -08:00
test_domain_remap.py pep8 fix: assertEquals -> assertEqual 2015-10-11 12:57:25 +02:00
test_except.py Mirror X-Trans-Id to X-Openstack-Request-Id 2016-10-30 20:02:39 -07:00
test_formpost.py Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' 2016-12-12 16:23:09 +07:00
test_gatekeeper.py Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' 2016-12-12 16:23:09 +07:00
test_healthcheck.py pep8 fix: assertEquals -> assertEqual 2015-10-11 12:57:25 +02:00
test_keystoneauth.py Improve Keystone v3 token support 2016-07-11 14:05:50 +00:00
test_list_endpoints.py change default ports for servers 2016-04-29 14:47:38 -04:00
test_memcache.py pep8 fix: assertEquals -> assertEqual 2015-10-11 12:57:25 +02:00
test_name_check.py pep8 fix: assertEquals -> assertEqual 2015-10-11 12:57:25 +02:00
test_proxy_logging.py Remove some cruft in test_proxy_logging 2017-01-30 16:05:23 -08:00
test_quotas.py Correctly send 412 Precondition Failed in copy middleware 2016-11-17 17:48:24 +00:00
test_ratelimit.py Use the same key for memcache and env['swift.infocache'] 2016-05-16 18:43:32 -07:00
test_recon.py Refactor recon to use single md5_hash_for_file function 2016-12-02 18:22:59 +00:00
test_slo.py Merge "Confirm receipt of SLO PUT with etag" 2017-01-16 20:37:02 +00:00
test_staticweb.py Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' 2016-12-12 16:23:09 +07:00
test_tempauth.py Stop using client headers for cross-middleware communication 2017-02-27 17:35:13 +00:00
test_tempurl.py ISO 8601 timestamps for tempurl 2017-01-24 17:38:48 +01:00
test_versioned_writes.py fix word spelling mistake 2016-09-30 16:43:54 +08:00
test_xprofile.py Use assertGreater(len(x), 0) instead of assertTrue(len(x) > 0) 2016-12-08 15:45:24 +07:00